COLDRIVER APT updates attack arsenal as pro-Ukrainian hackers target Russia

Intrusions deploying the novel BAITSWITCH and SIMPLEFIX payloads have been launched by Russian advanced persistent threat operation COLDRIVER, also known as Star Blizzard, Callisto, and UNC4057, as part of a new ClickFix-like campaign, according to The Hacker News.

Malicious CAPTCHA checks have been used by COLDRIVER to lure victims into running the illicit BAITSWTICH DLL in the Windows Run dialog box to retrieve SIMPLEFIX, which then enables PowerShell script, command, and remote URL-hosted binary executing, a report from Zscaler ThreatLabz showed.

"The COLDRIVER APT group is known for targeting members of NGOs, human right defenders, think tanks in Western regions, as well as individuals exiled from and residing in Russia. The focus of this campaign closely aligns with their victimology, which targets members of civil society connected to Russia," said Zscaler researchers.

Another report from Kaspersky detailed that Russian firms have been targeted by the pro-Ukrainian hacktivist group BO Team in a phishing campaign earlier this month that involved updated BrockenDoor and ZeronetKit payloads, while a separate analysis from F6 showed the nascent Bearlyfy threat group's intrusions against Russia involving the LockBit 3.0 and Babuk ransomware strains.

Bearlyfy was noted to be an independent operation despite being linked with the pro-Ukrainian PhantomCore gang.